The present invention relates in general to access control for both physical and network based security. More specifically, the present invention relates to a unified apparatus and method for providing physical access control and/or network access control to resources such as buildings, homes, physical infrastructure or information and network systems; where legacy physical security devices and/or network-enabled devices are involved in the access control system.
Security efforts are intended to safeguard people, physical assets (such as physical and intellectual property, and facilities) and information assets. To achieve this objective, a security plan/group typically provides for: controlling access to assets (physical as well as electronic/computerized), monitoring of events and alarms and real-time surveillance at designated locations based on a set of pre-conditions (e.g. policies). In many businesses, organizations or public areas, these security programs have been divided into two parts. One security group and associated system is intended to control access to the physical facilities or resources, and to safeguard authorized and unauthorized visitors. Another security group and associated system is intended to control access for the information systems and network to protect electronic information assets and other network attached devices. Both of these security groups and associated systems manage security risks by controlling access by specified individuals based upon a specific set of criteria, such as time of day.
The type, location, and communications protocols used between components of the physical access control system can vary somewhat; however, in general, the processing of a given physical access control event, and system functionality is the same for all. In a typical physical security (access controlled) environment, the physical security system includes: entry lock mechanisms, entry open/close or other sensors (such as video surveillance cameras), credentials (some form of electronic or physical identification of a device or individual), credential identification input device (e.g. badge reader, Personal Identification Number keypads, biometrics), communication and connectivity devices (e.g. door control panels), credential verification and policy-based access control device (e.g. access control panel), credential and policy creation station (e.g. physical security server), physical security management station (e.g. monitoring, event logging and alarm reporting platform) and facility user list/database (i.e. human resource personnel database).
Physical access control is implemented at ingress and occasionally at egress points of a facility as well as to certain parts or rooms of a facility using various access control devices (ACDs), such as badge readers, electronic locks, and various other door elements. These ACDs actively or passively challenge all users from freely entering, exiting, or accessing a given resource without presenting proper and valid credentials.
Physical access control system credentials may be a plastic card encoded with identifying information, a secret code or password entered at a keypad or other biometric information such as, a fingerprint, or an image of a retina scan. Many organizations provide personnel with credentials in the form of an organization ID or electronic key card with unique information encoded in the form of an electronic identifier or Personal Identification Number. Once the credentials are submitted/read by a badge reader, keypad, etc., the credentials are verified against a list of valid credential holders and its associated policies. These policies may provide other specific requirements for accessing the resource based on time of day, presence of other individuals, etc. or simply send instructions to grant or deny access.
It is common for the ACDs for a given entrance (badge readers, biometric readers, electro-mechanical locks, door open/closed sensors or other contact closures) to be connected by a serial Wiegand connection, a serial RS485 connection, or simple copper cabled contact closures to, and aggregated by, a door control panel (DCP). The DCP is typically in close proximity to the given entrance or resource under access control. These devices typically communicate via a simple signaling protocol. In many cases, the signaling protocols may be specific to a single vendor's access control products.
The DCP typically connects to multiple and various ACDs. The use of a DCP eliminates the need for each access control device to have its own credential verification and enforcement list or its own dedicated connection to the verification and enforcement device. Some DCPs may have a full or partial credential list; however, this implementation does carry some drawbacks. Given that most facilities may have multiple ingress/egress points or require access control of specific rooms or resources within the facility, it may require additional work to ensure that all DCPs have up to date information. In some cases, it may be necessary to locate certain access control devices outside the secure interior of the facility. Thus, DCPs with credential lists may be susceptible to tampering or can be compromised, leading to a security breach (i.e. the list could be accessed, thereby exposing passwords and credentials). Hence, many access control systems offer further centralization of the access control list and associated policies. As such, some DCPs will merely aggregate ACD connections and pass the credential information on to another device for centralized credential verification and policy enforcement, the Access Control Panel (ACP).
The ACP uses the credential information supplied by the reader(s) connected to a DCP to make a decision whether to grant the bearer ingress or egress rights or to deny the access request. The ACP relies on a physical security server and management station to create the actual list and policies associated with a given set of credentials.
The connection and communication between the ACP and the physical security server can vary, but they are typically based on a serial or modem connection. In some installations, the ACP may use an Ethernet (frame-based) connection to the physical security server, but it should be noted that those physical access control systems use the Ethernet network for connectivity only. The actual communications between physical access control components are typically proprietary to a single vendor, i.e. the vendor's signaling is tunneled over the Ethernet connection. Thus, other network resources (other traditional network servers) do not typically communicate with the ACP and are not capable of controlling the ACP. Additionally, information-systems security concerns (e.g. see InfoSec at http://www.cordis.lu/infosec/home.html) regarding unauthorized access or intrusion attacks against a network based ACP are completely unaddressed by nearly every network based ACP provider.
The physical security server ensures that all ACPs have accurate credential and policy information. The physical security server implements a security application for enrolling new credentials, removing expired credentials from the system (to prevent future physical access) and defining the physical access control policy for each credential at a facility. The physical security server holds the master table of credentials (such as user names, user badge number and other user specific attributes available, such as finger print, retina scan, voice print or other biometric information) and all physical access control policies for all the ACPs under its management. In other words, the server also maintains rules associated with each user to determine when access to a specific portal in an organization is authorized. It updates each ACP to ensure that the correct credentials lists and policies are in place. Thus, rules can be implemented that authorize a user to enter an organization's parking lot, front door, lab door, elevator, supply cabinet, computer network or other areas where the organization desires to control and monitor access. These rules can also be specific for time of day, for certain days of the week, or for a given duration of time. The physical security server also interfaces to a management station.
Physical security servers may be connected via a frame (e.g. Ethernet)/packet (e.g. Internet Protocol)—based network and communicate with other network attached servers, such as a human resource database server; however, they do not provide support functionality for managing network access control or other network security capabilities and furthermore, are not aware of network access events.
The management station provides alarm monitoring and general physical access control administration by physical security personnel. Additionally, it often supports a set of applications for printing and encoding credentials. The management station may be located at a remote site or distributed at several different facilities.
The list of users that are assigned valid credentials and associated policies can come from many sources. In larger organizations or businesses, this potential list may be obtained from the regularly updated employee/human resource database which may be supported via software applications programs from companies such as SAP, PeopleSoft and Oracle. The physical security systems administrator supplies the card, card credentials and associated access rights for a given user.
FIG. 1 illustrates a typical prior art facility access control system 100. Each facility or each floor of a facility will have co-located components 101 that may include several access control devices (ACD) 110 such as electro-mechanical door locks 111, readers 112, door contacts 113, keypads 114, door alarms 115 and motion sensors 116 located at each door or other portal. Additional types of access control devices may include fingerprint sensors, cameras, or other devices, components or software driven identification equipment.
At each door to the facility one or more ACDs 110 are coupled to a dedicated DCP. DCPs may be directly connected to ACP 120 in a star configuration (e.g. DCPs 118 and 119) or coupled in turn to other DCPs which are connected to ACP 120, as illustrated by DCPs 117 and 118. DCPs are typically linked to ACP 120 via RS485 serial cabling. DCPs 117-119 control the operation of ACDs 110 in response to control information provided by ACP 120.
Each ACP 120 controls several DCPs 117-119. For example, ACP 120 may control all the door control panels in a facility, on a particular floor of a multi-floor building or in a particular area of a facility. In most security systems, a serial or an Ethernet link couples ACP 120 to a physical security server 121. The physical security server 121 as well as a physical security management station 122 may be remotely located from the ACPs and centralized within a building or located in a different building.
When a physical access control request event occurs, such as when a person approaches a door, one or more of the ACDs 111-116 generates an input signal to the system. For example, a reader 112 may detect an encoded user ID and transmit the credentials to DCP 117, which performs local message buffering and ACD connectivity aggregation for the door. DCP 117 relays the ACD generated information, in the form of an access request message to the ACP 120. ACP 120 verifies the credentials by comparing the detected credentials against the valid (authorized) credentials list and associated policies to determine if the credential is valid and if a physical access policy is associated with the credential for this ingress/egress point. The valid credential information list and associated access policy are supplied by the physical security server 121 and is transmitted to the ACP prior to the access control event.
If the policy indicates that the door should be opened, an access control response message is transmitted from the ACP 120 to the DCP 117 to instruct it to activate (open) the electro-mechanical lock 111 for that specific door. If the policy is to deny access because the credentials are invalid, an alarm, for example, could be triggered or sent to management station 122 and the door remains locked.
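The access event just described (reader to DCP to ACP, credential list plus door and time-of-day policy, unlock or alarm) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from any vendor's product; the class and field names, badge numbers, portal ids and the two sample policies are all constructed for illustration.

```python
"""Added example (not the patent's code): a minimal model of the ACP decision
described above. A DCP forwards a badge read as an access request; the ACP
checks the credential against its list and the door/time-of-day policy that the
physical security server provisioned earlier, then answers the DCP with an
unlock or deny and raises an alarm for the management station on a denial.
All names, badge numbers and policies below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Policy:
    doors: set            # portal ids this credential may use
    start: time           # earliest time of day access is allowed
    end: time             # latest time of day access is allowed
    weekdays: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon..Fri


@dataclass
class AccessRequest:
    badge: str            # credential as read by the reader (ACD)
    door: str             # portal id the DCP serves
    at: datetime          # time of the read


class AccessControlPanel:
    """Holds the credential list and per-credential policies pushed by the
    physical security server, and decides each request locally."""

    def __init__(self, credentials):
        # credentials: badge number -> (holder name, Policy)
        self.credentials = credentials
        self.event_log = []   # what is forwarded to the management station

    def decide(self, req):
        entry = self.credentials.get(req.badge)
        if entry is None:
            return self._deny(req, "unknown credential")
        holder, policy = entry
        if req.door not in policy.doors:
            return self._deny(req, f"{holder} not authorized for {req.door}")
        if req.at.weekday() not in policy.weekdays:
            return self._deny(req, f"{holder} outside permitted days")
        if not (policy.start <= req.at.time() <= policy.end):
            return self._deny(req, f"{holder} outside permitted hours")
        self.event_log.append(("GRANT", req.badge, req.door, req.at.isoformat()))
        return {"action": "unlock", "door": req.door}

    def _deny(self, req, reason):
        # Denials are logged and raised as alarms for the management station.
        self.event_log.append(("ALARM", req.badge, req.door, reason))
        return {"action": "deny", "door": req.door, "reason": reason}


# Constructed sample credential list, as the physical security server
# would provision it into the ACP before any access event.
ACP = AccessControlPanel({
    "B1001": ("alice", Policy({"front_door", "lab_door"}, time(7, 0), time(19, 0))),
    "B2002": ("custodian", Policy({"front_door"}, time(18, 0), time(23, 0),
                                  weekdays={0, 1, 2, 3, 4, 5, 6})),
})


def demo():
    """Run three constructed requests (a Tuesday) and return the ACP's responses."""
    return [
        ACP.decide(AccessRequest("B1001", "lab_door", datetime(2024, 3, 12, 9, 30))),
        ACP.decide(AccessRequest("B1001", "lab_door", datetime(2024, 3, 12, 22, 0))),
        ACP.decide(AccessRequest("B2002", "lab_door", datetime(2024, 3, 12, 20, 0))),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point to notice is where the policy lives: the ACP only ever consults the list it was given before the event, so a DCP placed outside the secure perimeter carries no credentials at all, which is the centralization argument made in the text above.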
A different and separate system controls access to information systems and the proprietary network operated by most organizations or other entities. This access control system strives to protect network-based information assets and control access to other network attached devices. A network access control system typically includes but is not limited to: a number of network edge-attached devices (e.g. computers, servers, IP phones, etc.), electronic-credentials (e.g. user or device name, network address, passwords, etc.), frame/packet-based network infrastructure devices (e.g. routers, switches, load-balancers, firewalls), electronic-credential verification and policy-based access control device (e.g. network access control servers), credential and policy creation station and appliances (e.g. network security servers), network user list/database (i.e., human resource personnel database) and network management workstations.
All network devices are commonly connected via wired/fiber optic or wireless media that communicate using frame/packet-based network protocols such as Ethernet and IP. The ability of network devices to communicate with one another does not necessarily imply that one network device can control another network device. The ability to control a device is a function of higher level applications and protocols (such as provided by the OSI 7 layer network communications model).
It should be well understood that network-attached devices, such as personal computers, servers, personal digital assistants, as well as IP phones, IP video surveillance cameras, etc. have wired/fiber optic or wireless communications functionality and are common network-attached edge devices. Many of these devices may offer keyboards, or other input devices that may be used to enter and submit credential information along with embedded circuitry that can provide and request network address information that forms the basis for electronic-credentials.
Network access credentials are used to grant/deny network access and access to various resources attached to the network. Typically, network access credential information is passed from the network edge device to a network access control server via intermediary devices, such as network infrastructure devices (routers and switches). Credentials used for network access control can vary with one of the simplest forms being the combination of a user's name and a password. The password may be used for multiple log-on (network access request) sessions or could be created for a single log-on access event. Credentials may also be a pre-defined network address (e.g. Ethernet MAC address, or IP address) of the network device that is attempting to connect to the network.
Network infrastructure devices (NIDs), such as routers and switches, provide connections from network edge attached devices to other network attached resources. Routers and switches commonly support and communicate via frame- and/or packet-based network protocols, which encapsulate information that is to be communicated to various other network-attached devices. NIDs may provide network connectivity to network-connectable physical security access control system components for the purpose of communication between the physical security access control system components; however, prior art NIDs are not able to control these physical security access system components for the purpose of physical access of a given resource.
It is very common for network access to be controlled by a log-in system that is designed to limit network access to authorized users and devices. These log-in systems are referred to as AAA servers (Authentication, Authorization and Accounting servers). AAA provides a modular way of performing authentication, authorization, and accounting services for verifying the identity of, granting access to, and tracking the actions of users who require access to the network and network devices.
Authentication provides the method for identifying users attempting to access the network (i.e., being able to tell that a given user is who he says he is). This is commonly performed with traditional usernames/passwords, and more recently through more modern and secure methods such as challenge and response (like CHAP), one-time passwords (OTPs), and PKI certificates. Authorization provides the method for controlling which services or devices the authenticated user has access to (i.e. determining the scope of what a given user can do once he is logged on). Accounting provides the method for keeping track of users' behavior in the network and being able to tell what a specific individual is doing once logged on. The collected information can be used for billing, auditing, and reporting purposes. The concept of network user access control can also be extended to administrative access to network devices and network management solutions for configuration and monitoring.
One such log-in system is the Cisco Secure ACS, a policy based network access control server. The network access control server maintains a network access centric table or list of valid electronic-credentials and an associated list of network resources a given credential holder/user can access based on certain conditions (e.g. policies). It is used to determine authorized network access levels for users or computers attempting to gain network access. This server's table can hold user names, user IDs, network passwords and rules associated with each user or device that may require access to the network. These rules may be referred to as network access control policies (a list of valid electronic-credentials and an associated list of network resources a given credential holder/user can access based on certain conditions). The network access control server provides the user interfaces for logging on to the network and is also used to configure and provision the network access control system. The ACS server maintains a common log of events so security personnel can monitor, correlate and verify user activity on the corporate network with facility access.
The ACS server and its functions may be deployed in one location or distributed among more than one access control server. The ACS server may either hold all or a portion of the policies, rules and authorized users in a centralized or distributed fashion. The ACS server may hold information regarding unauthorized users so that security personnel can identify perpetrators who attempt to circumvent either facility or network security.
The list of users that are assigned valid credentials and associated policies for network access can come from many sources. In larger organizations or businesses, this potential list may be obtained from the regularly updated employee/human resource database (i.e. SAP, Peoplesoft, Oracle). The network access control server will occasionally synchronize its list of valid users with the human resources or other organization databases, but all policies are created, maintained and updated on the network access control server directly.
Network access control servers, such as the Cisco ACS server, are typically interoperable with many vendors' traditional frame/packet-based network equipment. It is common for an access control server to periodically send SNMP polls out to each IP-enabled device to verify the health and network connectivity. SNMP polling is well known in the networking art. Nonetheless, prior art network access control servers do not have the ability to support physical access control devices, nor do they interoperate with physical security servers or physical security management stations, door control panels, or provide ACP functionality. Furthermore, prior art network access servers are not aware of physical/facility access events.
Network security servers provide a range of functions generally associated with system configuration and administration. These servers often provide back-end billing and accounting, event logging and user interface communications. The network security servers often communicate with the network access control servers that are providing real-time network access control services. Prior art network security servers do not support physical security access control functions and furthermore, are not aware of physical access security events.
It should be understood that other network security functions may be a part of the network infrastructure. These functions and services include: firewall services, VPN encrypt/decryption, network Intrusion Detection Services but they generally rely on a network access control server for initial log-on authentication and authorization for network access. In some cases, these services may be integrated into network infrastructure devices. Additionally, a NID may act as a proxy or provide some AAA capabilities.
Network management workstations provide alarm monitoring and general network operation administration by network management and operation personnel. Network management workstations may be located at a remote site or distributed at several different facilities.
FIG. 2 illustrates a typical prior art network access control system. A network is not bound by physical location. A network may include several network-edge devices (NED) 150 such as computers 151, network phone (e.g. IP phone) 152, network camera 153, network connected I/O device (e.g. point of sale terminal, manufacturing process control sensors and machinery, etc.) 154 located virtually anywhere where network connectivity is available.
NEDs 150 are generally directly connected to network infrastructure devices 155 (NIDs). NIDs 155 are commonly routers, switches and/or wireless access points. NIDs 155 provide NEDs 150 with access to various other network resources 156 which are ultimately a collection of other NEDs, or application server computers, or other network connected communications devices (i.e. IP phones, video cameras, etc.) and can include Internet access. There may be a number of interconnected NIDs situated between various NEDs 150 or other network resources 156. The NIDs 155 are directly or indirectly connected via other NIDs to Network Access Control Servers (NACS) 157, Network Management Workstation 158 or Network Security Server 159. The network devices 157-159 may be remotely located from the NEDs 150 and/or placed in a centralized location such as a network operations center or datacenter.
When a network access control request event occurs, such as when a person wishes to connect his computer to the network in FIG. 2, the computer must generate a network access (log-on) request. For example, computer 151 will bring up a small screen requesting the user enter his name and pre-assigned password via the computer's keyboard. These electronic credentials (user name and password) are sent to the network infrastructure device 155, which passes the electronic-credential information on to network access control server 157.
Network access control server 157 validates the user credentials by comparing them against the valid network credentials list. It also checks for the associated network access policies to determine if the credential holder complies with all applicable policies for the user to access the requested network resources 156 or other network resources. The network access control list and associated policies are stored on the server prior to the network access control event.
Valid usernames were provided by the human resources database, and were stored in the network access control server's list prior to the access event as well. The password for a given username was previously entered into the list via the ACS user configuration interface or via entry from some other network management server. The network resource access policies for a given user were assigned via a network manager based upon organizational policies.
If the user name and password match an entry in a network access list/table, the user is granted network access privileges. This grant is sent to various network infrastructure devices 155 which provide access to other network-attached resources 156 (e.g. servers with various applications, access to the Internet, etc.). The user can now access the requested resource. If the user name and password do not match an entry in the network access list, the user may be offered another chance to enter the information or NID 155 may be instructed to shut off connectivity to network edge device 151 for some period of time before another network access request can be made. Regardless of the validity of the network access request, network access control server 157 logs the request and the outcome. This log may be directly accessed by network management personnel or sent to network management workstation 158. A validated network access request may also be sent from network access control server 157 to network security servers 159.
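The network-side flow above (NID relays credentials, the server authenticates, authorizes the requested resource, logs every request, and on repeated failure tells the NID to shut off the edge port for a while) is shown below as an added example written for this page; it is not code from the patent, from Cisco Secure ACS or from any other product. The class, the three-failure threshold, the 15-minute hold-down, and the users, passwords and resource names are constructed assumptions.

```python
"""Added example (not the patent's code): a model of the AAA decision made by
the network access control server in the flow described above. The NID relays
the user's name and password; the server authenticates against its stored
credential list, authorizes the requested resource against the user's network
policy, records every request and outcome in its accounting log, and, after
repeated failures, instructs the NID to shut off the edge device's connectivity
for a hold-down period. Users, passwords, resources and thresholds are
constructed for illustration."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


def _hash_password(password, salt):
    # Stored form of a password: salted PBKDF2, never the clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class NetworkAccessControlServer:
    MAX_FAILURES = 3                 # constructed threshold
    HOLD_DOWN = timedelta(minutes=15)  # constructed port shut-off period

    def __init__(self):
        self.users = {}          # name -> (salt, password hash, set of resources)
        self.failures = {}       # (name, nid, port) -> consecutive failure count
        self.hold_down = {}      # (nid, port) -> time the port may be re-enabled
        self.accounting = []     # every request and its outcome

    def enroll(self, name, password, resources):
        salt = os.urandom(16)
        self.users[name] = (salt, _hash_password(password, salt), set(resources))

    def _authenticate(self, name, password):
        entry = self.users.get(name)
        if entry is None:
            return False
        salt, stored, _ = entry
        # Constant-time compare so response time does not leak a partial match.
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def _authorize(self, name, resource):
        return resource in self.users[name][2]

    def request(self, name, password, resource, nid, port, at):
        key = (name, nid, port)
        if self.hold_down.get((nid, port), at) > at:
            return self._record(name, resource, nid, port, at, "deny", "port held down")
        if not self._authenticate(name, password):
            n = self.failures[key] = self.failures.get(key, 0) + 1
            if n >= self.MAX_FAILURES:
                self.hold_down[(nid, port)] = at + self.HOLD_DOWN
                self.failures.pop(key)
                return self._record(name, resource, nid, port, at, "deny",
                                    "authentication failed; NID instructed to disable port")
            return self._record(name, resource, nid, port, at, "deny", "authentication failed")
        self.failures.pop(key, None)
        if not self._authorize(name, resource):
            return self._record(name, resource, nid, port, at, "deny", "not authorized for resource")
        return self._record(name, resource, nid, port, at, "grant", "ok")

    def _record(self, name, resource, nid, port, at, action, reason):
        # Accounting: every request is logged regardless of outcome.
        self.accounting.append((at.isoformat(), name, nid, port, resource, action, reason))
        return {"action": action, "reason": reason, "nid": nid, "port": port}


def demo():
    """Constructed sequence: a grant, an authorization denial, a lockout,
    a request during hold-down, and a request after the hold-down expires."""
    nacs = NetworkAccessControlServer()
    nacs.enroll("alice", "correct horse battery staple", {"fileserver", "internet"})
    t = datetime(2024, 3, 12, 9, 0)
    out = {}
    out["good"] = nacs.request("alice", "correct horse battery staple", "fileserver", "sw-1", 7, t)
    out["unauthorized"] = nacs.request("alice", "correct horse battery staple", "hr_db", "sw-1", 7, t)
    bad = [nacs.request("alice", "wrong", "internet", "sw-1", 8, t + timedelta(seconds=i))
           for i in range(3)]
    out["lockout"] = bad[-1]
    out["held"] = nacs.request("alice", "correct horse battery staple", "internet", "sw-1", 8,
                               t + timedelta(minutes=1))
    out["after_hold"] = nacs.request("alice", "correct horse battery staple", "internet", "sw-1", 8,
                                     t + timedelta(minutes=20))
    out["log_len"] = len(nacs.accounting)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two details matter for a defender: the hold-down is keyed on the NID port rather than the user name, so a locked port stays locked even when a correct password arrives during the period, and the accounting log receives the denied requests as well as the grants, which is what later makes correlation with facility access possible.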
As mentioned earlier, some physical security systems and some physical security system components have been designed to connect to an Ethernet/IP-based network in order to transport information from one physical security system component to another physical security system component. However, these Ethernet/IP-connected physical security components do not make use of all of the frame/packet network's resources, such as the AAA or network access control server and furthermore, are not aware of network access events.
Legacy physical security device access gateways, such as shown in FIG. 3, block 125, are available that can translate various access control system device vendor's signaling formats and protocols to another access control system vendor's component formats. These gateways provide greater interoperability between disparate physical security vendor system components and may allow physical security information to be transported over a frame/packet based network; however, these gateways do not allow network access control servers to control physical/facility access control devices. An ACP is still required to validate the credentials as previously discussed in the FIG. 1 example.
Also, some prior art DCPs (as shown in FIG. 4, block 129) and some access control devices (e.g. badge readers, as shown in FIG. 5, block 131) may support frame/packet-based network connections, such as Ethernet. When information is passed to a DCP from its associated ACDs, it aggregates the data and puts the data in the payload portion of a packet or Ethernet frame before transmitting it to an edge router on a local Ethernet network or other wired or wireless packet based network.
Similar to the physical security access gateways, these network-connectable DCPs and ACDs allow physical security information to be transported across the frame/packet-based network but continue to operate under the direction of the physical access control system to validate credentials and impose policy-based actions based on those credentials. Hence, they receive access control list and policy updates from the physical security server or physical access control panels. These network-connectable DCPs and ACDs do not receive updates from network access control/AAA servers and furthermore, the DCPs and/or ACDs are not aware of network access events.
When initially deployed, these prior art network-connected access control gateways, DCPs and ACDs are commonly configured to communicate (broadcast a physical access event) over a single sub-net; thus, the number of devices under management by a single physical access control system is somewhat limited in size. However, a few network-connected physical access control gateways, DCPs and ACDs may be configured with the ACP's or physical access control server's network address or an address of a default network access gateway permitting it to be interconnected via a routed interface. It will be recognized that the default network access gateway is often referred to in the art as a domain name server (DNS). This gateway facilitates a much larger number of physical access control components to be placed under management by a single ACP/physical access policy server.
It has been recognized that the inability to jointly manage and unify the access control programs for both facility and network resources compromises the effectiveness of overall corporate security. Simply using, for example, smart-card technology to unify physical security access control and network access control credentials does little to unify physical access control and network access control systems or tie together physical security access control policies with network access control policies and vice-versa. Thus, even if both facility access systems and network access systems are diligently monitored and managed, organizations remain vulnerable to misuse or negligence by not tying physical security and network security policies together.
From a network security perspective, the inability to tie physical and network access together creates vulnerability, exposing the network system's owner to loss of valuable confidential or proprietary information or damage to the network itself. To illustrate this vulnerability, consider if certain employees forget to log out of the computer when they leave the facility at the end of the day. After they have left, the computer remains connected to the network and may be used by anyone who is present in the facility, even if they are not authorized to access the network. Clearly, it is not desirable to permit an unattended terminal to remain connected to the network after the authorized user has left the facility. If the network access control server had access to a user facility departure log, via “badging-out” or facial recognition video surveillance, the unattended computer's network access could be terminated, thus eliminating the vulnerability.
Simply establishing a policy that provides network access to all authorized users of a facility does not address the preceding vulnerability. Consider that while it is acceptable for the custodial staff, including out-sourced custodial services personnel, to have access to a building for cleaning and maintenance, it may be unacceptable for these same facilities-authorized personnel to have access to network resources and intellectual property.
To illustrate another vulnerability from a physical safety and security perspective, consider the possibility of one or more facility- and network-authorized users who enter a facility by “tailgating” through a door with another authorized user when they are entering a facility as a group (e.g. the tailgater does not present his credentials for validation). When tailgating occurs, facility security is not able to accurately determine who is in a facility at any given time. Thus, if a person that has not officially entered a facility is seen logged into a computer at the facility, corporate security must determine what happened. Further, in the event of an emergency such as a fire or explosion, corporate security and rescue personnel need to know who is in the facility and where they are located so that they can be quickly and safely evacuated. If physical and network security access control is not unified, physical safety and security personnel would have to consult both physical security logs and network access logs to more comprehensively determine who may be in a building.
Many network security breaches and thefts of intellectual property occur from remote locations. Despite the ability for network operators to limit access to certain network resources from certain network connections, many network security breaches occur because so-called computer “hackers” can trick the network access control server and NIDs into believing the hacker or user is connected to an “authorized” network connection. If the network access policies could be linked to the physical access server control logs, this would provide cross-validation of a user's physical location in an approved facility or room via the recent presentation of valid physical access credentials. Thus, a stolen or “hacked” password would not be sufficient for network resource access.
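The four scenarios above (an unattended terminal after the user leaves, facility-authorized staff without network rights, a logon by someone with no badge-in record, and a network request from a location that does not match the user's last badge-in) all come down to one rule: the network access decision consults the physical presence log. The following added example, written for this page and not taken from the patent, shows a network access control server applying that rule when fed badge-in/badge-out events. The class, the 12-hour presence window, the facility and NID names, and all users and events are constructed assumptions.

```python
"""Added example (not the patent's code): a unified policy check that a network
access control server could apply if it received the physical access log
described above. It keeps a per-user presence state from badge-in/badge-out
events, cross-validates each network logon against that state and the facility
the NID belongs to, tears down sessions when the user badges out, and flags
logons by users with no badge-in record. All users, facilities and events are
constructed for illustration."""
from datetime import datetime, timedelta


class UnifiedAccessControl:
    def __init__(self, network_users, nid_facility, presence_ttl=timedelta(hours=12)):
        self.network_users = network_users      # users that have a network policy
        self.nid_facility = nid_facility        # NID id -> facility it is installed in
        self.presence_ttl = presence_ttl        # constructed: how long a badge-in counts
        self.presence = {}                      # user -> (facility, badge-in time)
        self.sessions = {}                      # user -> NID id of active session
        self.alerts = []                        # events for security personnel

    # --- physical access events, as forwarded by the physical security server ---
    def badge_in(self, user, facility, at):
        self.presence[user] = (facility, at)

    def badge_out(self, user, at):
        self.presence.pop(user, None)
        # The departure log drives session teardown of unattended terminals.
        nid = self.sessions.pop(user, None)
        if nid is not None:
            self.alerts.append(("SESSION_TERMINATED", user, nid, at.isoformat()))
            return {"nid": nid, "action": "disconnect", "user": user}
        return None

    # --- network access events, as forwarded by the NID ---
    def network_logon(self, user, nid, at):
        if user not in self.network_users:
            # Facility-authorized but no network policy (e.g. custodial staff).
            return self._deny(user, nid, at, "no network access policy")
        facility = self.nid_facility.get(nid)
        present = self.presence.get(user)
        if present is None:
            # No badge-in on record: tailgating, or a credential used remotely.
            return self._deny(user, nid, at, "no valid badge-in on record")
        where, since = present
        if where != facility:
            return self._deny(user, nid, at, f"badged into {where}, NID is in {facility}")
        if at - since > self.presence_ttl:
            return self._deny(user, nid, at, "badge-in too old")
        self.sessions[user] = nid
        return {"action": "grant", "user": user, "nid": nid}

    def _deny(self, user, nid, at, reason):
        # Every denial is an alert: security can reconcile it with the physical logs.
        self.alerts.append(("NETWORK_DENIED", user, nid, reason, at.isoformat()))
        return {"action": "deny", "user": user, "nid": nid, "reason": reason}


def demo():
    """Constructed sequence covering the four scenarios discussed above."""
    uac = UnifiedAccessControl(
        network_users={"alice", "bob"},
        nid_facility={"sw-hq-1": "HQ", "sw-lab-1": "LAB"},
    )
    t = datetime(2024, 3, 12, 8, 0)
    out = {}
    uac.badge_in("alice", "HQ", t)
    out["alice_ok"] = uac.network_logon("alice", "sw-hq-1", t + timedelta(minutes=5))
    out["alice_wrong_site"] = uac.network_logon("alice", "sw-lab-1", t + timedelta(minutes=6))
    out["bob_no_badge"] = uac.network_logon("bob", "sw-hq-1", t + timedelta(minutes=7))
    uac.badge_in("custodian", "HQ", t + timedelta(hours=10))
    out["custodian"] = uac.network_logon("custodian", "sw-hq-1", t + timedelta(hours=10, minutes=1))
    out["alice_badge_out"] = uac.badge_out("alice", t + timedelta(hours=9))
    out["alerts"] = list(uac.alerts)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the presence window is a policy choice: too short and legitimate users are cut off mid-day, too long and a badge-out that was never recorded (the tailgating case in reverse) leaves a stale grant in place. The badge-out path is the one that closes the unattended-terminal gap, and it works only if the physical security server actually forwards departure events.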
Clearly, there is a need for unification of physical security (access control) and network access systems that facilitates new security policies and improves both physical and network security. To overcome the disadvantages of the prior art physical and network security systems, the present invention discloses a unified access control system and method, the features and advantages of which will become apparent from the detailed description and review of the associated drawing figures that follow.